Entra Domain Services uses minimum SKU
Reliability · Entra Domain Services · Rule · 2025_06 · Important
The default SKU for Microsoft Entra Domain Services supports resiliency in a single region.
Description
By default, Microsoft Entra Domain Services (Azure AD DS) deploys a replica set in a single region.
When using the Standard SKU, only a single replica set is supported.
To deploy a replica set across multiple regions, a minimum of the Enterprise SKU must be used.
Both the Enterprise and Premium SKUs support cross-region replication.
Deploying a replica set in multiple regions provides resiliency against region failures for this identity service. Even if multiple regions are not required to run applications across regions, they are often a requirement for disaster recovery.
Recommendation
Consider using a minimum Enterprise SKU to support resiliency across multiple regions.
Examples
Configure with Bicep
To deploy domains that pass this rule:
- Set the properties.sku property to Enterprise or Premium.
For example:
resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
  name: name
  location: location
  properties: {
    sku: 'Enterprise'
    ldapsSettings: {
      ldaps: 'Enabled'
    }
    domainSecuritySettings: {
      ntlmV1: 'Disabled'
      tlsV1: 'Disabled'
      kerberosRc4Encryption: 'Disabled'
    }
    replicaSets: [
      {
        subnetId: primarySubnetId
        location: location
      }
      {
        subnetId: secondarySubnetId
        location: secondaryLocation
      }
    ]
  }
}
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
Configure with Azure template
To deploy domains that pass this rule:
- Set the properties.sku property to Enterprise or Premium.
For example:
{
  "type": "Microsoft.AAD/domainServices",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": "Enterprise",
    "ldapsSettings": {
      "ldaps": "Enabled"
    },
    "domainSecuritySettings": {
      "ntlmV1": "Disabled",
      "tlsV1": "Disabled",
      "kerberosRc4Encryption": "Disabled"
    },
    "replicaSets": [
      {
        "subnetId": "[parameters('primarySubnetId')]",
        "location": "[parameters('location')]"
      },
      {
        "subnetId": "[parameters('secondarySubnetId')]",
        "location": "[parameters('secondaryLocation')]"
      }
    ]
  }
}
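A pre-deployment check for the setting described above, as an added example that is not part of the rule's own implementation. It assumes a parsed ARM template with top-level resources and only resolves bare parameters('x') expressions through their defaultValue; the function names and the sample template (resource names, parameter defaults) are constructed for illustration.

```python
import json
import re

# SKUs the page lists as supporting cross-region replica sets.
MULTI_REGION_SKUS = {"enterprise", "premium"}
PARAM_RE = re.compile(r"\[parameters\('([^']+)'\)\]")

def resolve(value, parameters):
    """Replace a bare "[parameters('x')]" expression with its defaultValue, if one is set."""
    match = PARAM_RE.fullmatch(value) if isinstance(value, str) else None
    if match:
        return parameters.get(match.group(1), {}).get("defaultValue", value)
    return value

def check_template(template):
    """Return one finding per Microsoft.AAD/domainServices resource in an ARM template dict."""
    parameters = template.get("parameters", {})
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != "microsoft.aad/domainservices":
            continue
        props = res.get("properties", {})
        sku = resolve(props.get("sku"), parameters)
        regions = {str(resolve(r.get("location"), parameters)).lower()
                   for r in props.get("replicaSets", [])}
        # Assumption: a missing or unresolved SKU is reported as a failure.
        passed = isinstance(sku, str) and sku.lower() in MULTI_REGION_SKUS
        findings.append({"name": res.get("name"), "sku": sku, "pass": passed,
                         "replica_regions": len(regions)})
    return findings

# Constructed sample template: one failing and one passing managed domain.
SAMPLE = json.loads("""
{
  "parameters": {"sku": {"type": "string", "defaultValue": "Enterprise"},
                 "secondaryLocation": {"type": "string"}},
  "resources": [
    {"type": "Microsoft.AAD/domainServices", "apiVersion": "2022-12-01", "name": "ds-standard",
     "properties": {"sku": "Standard", "replicaSets": [{"location": "eastus"}]}},
    {"type": "Microsoft.AAD/domainServices", "apiVersion": "2022-12-01", "name": "ds-enterprise",
     "properties": {"sku": "[parameters('sku')]", "replicaSets": [
       {"location": "eastus"}, {"location": "[parameters('secondaryLocation')]"}]}}
  ]
}
""")

if __name__ == "__main__":
    for finding in check_template(SAMPLE):
        print(finding)
```

The replica_regions count is informational: a domain on a passing SKU with a single replica set is still deployed in only one region.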
Links
- RE:05 High-availability multi-region design
- Change the SKU for an existing Microsoft Entra Domain Services managed domain
- Tutorial: Create and use replica sets for resiliency or geolocation in Microsoft Entra Domain Services
- Azure Proactive Resiliency Library v2
- Azure deployment reference